This is Part 3 of a three-part series analyzing a sophisticated ClickFix malvertising campaign. In this series, we cover the initial social engineering (Part 1), the malware’s evasion tactics (Part 2), and the detection strategies needed to identify it (Part 3).

Hunting and Detection Tips

Below are the highest-confidence behavioral points from this case that SOC analysts and IR teams can take away and look for in their own environments.

Win+R Launched PowerShell with Stealth Flags

Look for PowerShell execution with stealth flags, especially when the process tree suggests user-initiated execution (explorer.exe -> powershell.exe):

-ExecutionPolicy Bypass -NoLogo -NoProfile -WindowStyle Hidden

This combination is the signature of a user falling for ClickFix, as legitimate scripts rarely combine all four flags.

Detection Logic

Process Name: powershell.exe
Parent Process: explorer.exe (or direct Win+R execution)
Command Line Contains: (-ep bypass OR -executionpolicy bypass) AND -windowstyle hidden

Some legitimate deployment tools use these flags, but the key differentiator is that explorer.exe is the parent process and the full stealth flag combination is present, which should limit false positives where this logic is deployed. Configure this as an alert, not a block action.
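As an added example (not code from the original post), the Python below applies the rule above to constructed process-creation events. Because powershell.exe accepts aliases and unambiguous prefixes for its parameters (-w hidden, -nop, -ep bypass), a literal match on "-windowstyle hidden" misses shortened spellings, so the example normalises them first; the helper names (`stealth_flags`, `evaluate`) and the sample events are assumptions.

```python
# Added example (not from the original post): applies the "Win+R launched
# PowerShell with stealth flags" rule to constructed process-creation events.
# powershell.exe accepts aliases/unambiguous prefixes of its parameter names
# (powershell.exe /?), so "-w hidden -nop -nol -ep bypass" equals the long form.
_ALIASES = {  # long name -> accepted short spellings
    "executionpolicy": ("ex", "ep"),
    "windowstyle": ("w",),
    "noprofile": ("nop",),
    "nologo": ("nol",),
}

def _canonical(token: str):
    """Map '-Flag' (any case, alias or >=3-char prefix) to its long name."""
    if not token.startswith("-"):
        return None
    name = token.lstrip("-").lower()
    for long_name, short in _ALIASES.items():
        if name == long_name or name in short or (len(name) >= 3 and long_name.startswith(name)):
            return long_name
    return None

def stealth_flags(cmdline: str) -> dict:
    """Return {long_flag: value} for each of the four stealth switches present."""
    tokens = cmdline.split()  # flags and their values are not quoted in practice
    found = {}
    for i, tok in enumerate(tokens):
        name = _canonical(tok)
        if name:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            found[name] = "" if nxt.startswith("-") else nxt.strip("\"'").lower()
    return found

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event: dict) -> dict:
    """Rule from the post: powershell.exe under explorer.exe with bypass + hidden."""
    flags = stealth_flags(event["cmdline"])
    match = (_basename(event["image"]) == "powershell.exe"
             and _basename(event["parent_image"]) == "explorer.exe"
             and flags.get("executionpolicy") == "bypass"
             and flags.get("windowstyle") == "hidden")
    return {"match": match, "stealth_flag_count": len(flags)}

# Constructed sample events in Sysmon/EDR-style fields (not real telemetry).
CLICKFIX = {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "parent_image": r"C:\Windows\explorer.exe",
            "cmdline": 'powershell.exe -w hidden -nop -nol -ep bypass -c "iex ..."'}
DEPLOY_TOOL = dict(CLICKFIX, parent_image=r"C:\Program Files\ExampleDeploy\agent.exe")
ADMIN_SHELL = dict(CLICKFIX, cmdline="powershell.exe -NoProfile -Command Get-Date")
```

The deployment-tool event carries all four flags but a non-explorer parent, which is exactly the false positive the paragraph above says the parent check removes.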

Scheduled Task Executing Every Few Minutes

Look for scheduled tasks with PT1M through PT5M repetition intervals that run in the SYSTEM context and whose action points to a non-standard location (such as AppData, ProgramData, or temp directories). Enterprise tools may poll this frequently (e.g., patch management, monitoring agents), but they typically run as dedicated service accounts with known task names.

Detection Logic

Event ID: 4698 (Scheduled Task Created)
Task Trigger: TimeTrigger with Interval < PT10M
Run Level: HighestAvailable OR LeastPrivilege with SYSTEM context
Task Path: NOT in \Microsoft\ hierarchy
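As an added example (not from the original post), this Python scores the TaskContent XML that a 4698 event carries against the logic above, reporting every condition that fired so an analyst can prioritise. The task XML, task name and paths are constructed (the schema is Task Scheduler's own), and `assess_task` / `iso_duration_seconds` are hypothetical helper names.

```python
import re
import xml.etree.ElementTree as ET
# Added example (not from the original post): scores the TaskContent XML that
# Security event 4698 carries against the "beacon every few minutes" rule.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"s-1-5-18", "system", "nt authority\\system"}
SUSPECT_DIRS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\tmp\\")

def iso_duration_seconds(value: str) -> int:
    """Convert a Task Scheduler ISO 8601 duration (PT3M, PT1H30M, P1D) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", value)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def assess_task(task_name: str, task_content: str) -> dict:
    """Apply the post's 4698 logic; 'reasons' lists every condition that fired."""
    root = ET.fromstring(task_content)
    reasons = []
    outside_ms = not task_name.lower().startswith("\\microsoft\\")
    if outside_ms:
        reasons.append("task path outside the \\Microsoft\\ hierarchy")
    intervals = [t.findtext("t:Repetition/t:Interval", "", NS)
                 for t in root.findall("t:Triggers/t:TimeTrigger", NS)]
    fast = [i for i in intervals if i and iso_duration_seconds(i) < 600]
    if fast:
        reasons.append(f"TimeTrigger repeats every {fast[0]} (< PT10M)")
    as_system = False
    for p in root.findall("t:Principals/t:Principal", NS):
        if p.findtext("t:UserId", "", NS).lower() in SYSTEM_IDS:
            as_system = True
            reasons.append("runs as SYSTEM, RunLevel=" + p.findtext("t:RunLevel", "LeastPrivilege", NS))
    for ex in root.findall("t:Actions/t:Exec", NS):
        line = ex.findtext("t:Command", "", NS) + " " + ex.findtext("t:Arguments", "", NS)
        if any(d in line.lower() for d in SUSPECT_DIRS):
            reasons.append("action references a non-standard directory")
    return {"match": outside_ms and bool(fast) and as_system, "reasons": reasons}

# Constructed sample TaskContent: Task Scheduler's real schema, made-up values.
BEACON_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT3M</Interval></Repetition></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\conhost.exe</Command>
    <Arguments>--headless powershell.exe -w hidden -ep bypass -f C:\\ProgramData\\Example\\u.ps1</Arguments>
  </Exec></Actions></Task>"""
```

A Microsoft-path task with an hourly interval still collects the SYSTEM and location reasons but does not match, which mirrors the "known task names, dedicated accounts" exception above.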

Conhost.exe --headless

Look for any execution of conhost.exe with the --headless argument.

Detection Logic

Process Name: conhost.exe
Command Line Contains: --headless

This is a standout anomaly. While the --headless flag exists for limited legitimate purposes, such as Windows Terminal and some developer tools, it is rarely used in enterprise user workflows. Sigma and Splunk detections exist specifically for it because it is such a reliable indicator.

DPAPI Unprotect Usage in Unexpected Contexts

DPAPI calls are legitimate most of the time: browsers use them to protect saved passwords, and many applications use them for credential storage. However, DPAPI usage from PowerShell, especially with DataProtectionScope.LocalMachine, is relatively uncommon.

Detection Logic

For those with .NET assembly loading telemetry:

Assembly Name: System.Security
Process Name: powershell.exe
Context: User workstation (not server)

For those who have API monitoring:

Look for CryptUnprotectData calls originating from powershell.exe, or referenced on a command line.
Before treating a DPAPI call as suspicious, check which file was read before the call, whether that file sits in a legitimate application directory, and what the process tree looks like.

Clipboard-Based Execution Patterns

Look for PowerShell commands that retrieve clipboard contents (Get-Clipboard), clear the clipboard (Set-Clipboard with no argument), and execute the retrieved content (Invoke-Expression, iex). This pattern is infrequent in business environments. Automations don't typically load from clipboards; they use scripts, parameters, and/or configuration files.

powershell -ep bypass -c "$repvar=(Get-Clipboard);set-clipboard;$repvar|iex|iex"

Detection Logic

Process: powershell.exe
Command Line Contains: Get-Clipboard AND (iex OR Invoke-Expression)

New Root CA Certificates on User Endpoints

Look for any new certificates added to the Trusted Root Certification Authorities store, especially if they are self-signed with CA:TRUE set. Also look for certificates with suspicious or impersonating common names. Without a matching change record, these should be treated as high-severity alerts. Installing a rogue root is a common technique for establishing trust in C2 TLS channels and for TLS interception, and it makes malicious infrastructure appear legitimate.

Detection Logic

Windows Event Log:
Event ID: 4657 (Registry value modified)
Key Path Contains: ROOT\Certificates

Certificate Store Monitoring:

certutil -store -user Root    (current user's Trusted Root store)
certutil -store Root          (local machine's Trusted Root store)

Review the output of each for unknown certificates.

Ask the following questions:

  1. Was this certificate deployed by IT/MDM?
  2. Is it self-signed?
  3. Does the CN match known enterprise or public CAs?
  4. When was it installed relative to other suspicious activity?

Firewall Rules with Generic “System” Names

Look for new firewall rules with names designed to blend in, such as “SystemUpdate”, “WindowsUpdate”, or “Microsoft Defender”. Legitimate Windows firewall rules are typically created by installers with specific application names or by GPOs with documented rule sets. A rule named “SystemUpdate” allowing PowerShell is suspicious.

Detection Logic

Event ID: 4946 (Windows Firewall rule added)
Rule Name: Contains generic system-sounding terms
Application Path: powershell.exe, cmd.exe, wscript.exe

Hardening Takeaways

Below are tips for System Administrators, CISOs, and GRC analysts to help prevent these kinds of attacks in the environments they monitor and protect.

User Awareness Training

  • Explicitly cover the standard wording that ClickFix tricks use (such as “press Win+R”)
  • Show users examples of ClickFix lures
  • Explain that pop-ups demanding that the user run a command are always malicious
  • Train users to report rather than to comply mindlessly

Technical Controls

  • Consider browser extensions that reduce malvertising exposure (uBlock Origin Lite, etc.), especially for high-risk user groups
  • Evaluate DNS filtering solutions (ControlD, Cisco Umbrella) to block known malvertising infrastructure
  • Review ad network blocking options at the network perimeter
  • Enforce script signing for PowerShell
  • Deploy Constrained Language Mode for standard users where appropriate
  • Restrict certificate installation rights via GPO

Policy Consideration

  • Evaluate whether Win+R execution of PowerShell can be restricted via AppLocker, WDAC, or a third-party program like ThreatLocker

Logging

Ensure that logging is enabled for the following system activity on user workstations:

  • PowerShell Script Block Logging
  • PowerShell Module Logging
  • Scheduled Task Creation
  • Additions to Trusted Root Certification Authorities

Incident Response Planning

In cases like this, assume that credential access was an early goal; it may also be the only activity you can prove in your own investigation.

Response Actions

  • Password resets for all accounts accessed from compromised endpoints
  • Session token revocation for cloud services (M365, Google Workspace, etc.)
  • MFA re-enrollment where tokens may have been compromised
  • Assume lateral movement potential if AD credentials were stored

Forensic Considerations

  • Encrypted payloads and clipboard execution may make proving specific data exfiltration difficult
  • Document what you can prove vs. what you assess as likely
  • Plan remediation based on the worst-case reasonable assumption, not just confirmed evidence

Conclusion

ClickFix works because it creates friction that is only resolved when the victim complies. The user couldn’t close the pop-up until they eventually followed the malicious ad’s suggestion.

Threat actors in this case paired social engineering with various evasion techniques:

  • DPAPI-protected payloads that are difficult to analyze offline
  • Headless console execution that hides windows from users
  • Clipboard-based command staging that evades command-line logging
  • SYSTEM-level scheduled task beacons with 3-minute intervals
  • Certificate store manipulation for trusted C2 channels
  • Anti-forensics to clear evidence of the initial delivery

All of these techniques are detectable. However, SOC analysts, threat hunters, and incident responders need the right detections in place to identify these behaviors and have enough time to thoroughly investigate their environments to catch any suspicious activity that may have been missed.

References

  1. LOLBAS Project, “Conhost.” https://lolbas-project.github.io/lolbas/Binaries/Conhost/
  2. Splunk Security Content, “Windows ConHost with Headless Argument.” https://research.splunk.com/endpoint/d5039508-998d-4cfc-8b5e-9dcd679d9a62/
  3. Sigma Rules, “Powershell Executed From Headless ConHost Process.” https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_conho…